Registry virtualizing

Guys, I need help to solve the following task.

I’m trying to implement a sandbox that would virtualize the system registry. What do you think about that? It is planned to be implemented as a driver (i.e. kernel mode) with a reparse mechanism (like the one used for file system virtualization, for example). I know that for the registry there are two methods available to drivers: 1) registry callbacks, 2) parse procedure hooking. But with registry callbacks I can’t control the registry operation, actually, only be notified. On the other hand, hooking the parse procedure of the Registry object type is not a legal way. Also, this virtualization should work on x64 too.
Maybe there are reasons to implement it from user mode? But I think that, in such a case, it could be bypassed, by malware for example.

Thank you for all suggestions!

On 27-Feb-2012 11:48, xxxxx@yandex.ru wrote:

> Guys, I need help to solve the following task.
>
> I’m trying to implement a sandbox that would virtualize the system registry. What do you think about that?

Already done (in many variants, from real kernel “hooking” to user-mode
hooking). Why again?

[snip]

> Maybe there are reasons to implement it from user mode? But I think that, in such a case, it could be bypassed, by malware for example.

Yes. But a well-made malware will escape your virtualization anyway.

– pa

> But with registry callbacks I can’t control the registry operation, actually, only be notified.

Not only notify. You can modify the pre-operation callback parameters and
return STATUS_CALLBACK_BYPASS.

As was stated, with Win7 (and to some degree Vista) you can modify the
callbacks. For XP and earlier you are stuck with hooking, even though
that is ugly. I have implemented a driver with two wrappers, one for XP
and one for Win7, with the core functionality the same for both.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“xxxxx@yandex.ru” wrote in message news:xxxxx@ntdev:

> Guys, I need help to solve the following task.
>
> I’m trying to implement a sandbox that would virtualize the system registry. What do you think about that? It is planned to be implemented as a driver (i.e. kernel mode) with a reparse mechanism (like the one used for file system virtualization, for example). I know that for the registry there are two methods available to drivers: 1) registry callbacks, 2) parse procedure hooking. But with registry callbacks I can’t control the registry operation, actually, only be notified. On the other hand, hooking the parse procedure of the Registry object type is not a legal way. Also, this virtualization should work on x64 too.
> Maybe there are reasons to implement it from user mode? But I think that, in such a case, it could be bypassed, by malware for example.
>
> Thank you for all suggestions!

Guys, thank you. As I thought, there are two approaches: one for W2K and XP and a second for Vista and Win7. But what about Windows XP x64, for example? Does it support such callbacks (with STATUS_CALLBACK_BYPASS)?
And could you explain how I should implement reparse methods with the support of the notify callbacks? This is necessary for reflecting some of the application’s requests to my registry storage, a key that will contain the modified keys and values. With interception of the registry reparse method I know how to perform it.
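As an added illustration of the redirect decision the replies describe (not code from anyone in this thread, and not a driver), here is a host-buildable C model: for a requested key path it works out whether a pre-open/pre-create registry callback should let the operation pass through or redirect it into a sandbox store and return STATUS_CALLBACK_BYPASS, including the loop guard for the store itself and the separator check that keeps `...\SoftwareX` out of `...\Software`. The store root, the virtualized subtree and the sample paths are constructed for the example; in a real Vista+ filter the redirected key would be opened by the driver and handed back through the pre-operation information before returning the bypass status.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

typedef long NTSTATUS;                       /* stand-in for the WDK type */
#define STATUS_SUCCESS         0x00000000L   /* values as in ntstatus.h */
#define STATUS_CALLBACK_BYPASS 0xC0000503L

/* Hypothetical for this example: the redirect store and the virtualized subtree. */
#define SANDBOX_ROOT  "\\Registry\\Machine\\Software\\SandboxStore"
#define VIRTUAL_SCOPE "\\Registry\\Machine\\Software"

/* True if path equals key or lies beneath it. Key names are case-insensitive
 * and the match must end at a separator, so "...\SoftwareX" is not under "...\Software". */
static int under_key(const char *path, const char *key)
{
    size_t n = strlen(key);
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)path[i]) != tolower((unsigned char)key[i]))
            return 0;
    return path[n] == '\0' || path[n] == '\\';
}

/* The decision a pre-open/pre-create callback would take for a full key path.
 * BYPASS: out holds the path to open instead. SUCCESS: let the request proceed. */
NTSTATUS decide_redirect(const char *requested, char *out, size_t outlen)
{
    /* Loop guard: never redirect the store into itself (the driver's own opens would re-enter forever). */
    if (under_key(requested, SANDBOX_ROOT))
        return STATUS_SUCCESS;
    if (!under_key(requested, VIRTUAL_SCOPE))      /* outside the sandbox: pass through */
        return STATUS_SUCCESS;
    /* Graft the remainder onto the store root; too long for the buffer -> pass through, never truncate. */
    int n = snprintf(out, outlen, "%s%s", SANDBOX_ROOT,
                     requested + strlen(VIRTUAL_SCOPE));
    return (n < 0 || (size_t)n >= outlen) ? STATUS_SUCCESS
                                          : STATUS_CALLBACK_BYPASS;
}

int main(void)
{
    const char *reqs[] = { "\\Registry\\Machine\\Software\\Contoso\\App",
                           "\\Registry\\Machine\\Software\\SandboxStore\\X",
                           "\\Registry\\Machine\\System\\CurrentControlSet" };
    char out[256];
    for (size_t i = 0; i < 3; i++) {
        NTSTATUS st = decide_redirect(reqs[i], out, sizeof out);
        printf("%s -> %s\n", reqs[i], st == STATUS_CALLBACK_BYPASS ? out : "(pass through)");
    }
    return 0;
}
```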